CN102047606A - Decoupling of measuring the response time of a transponder and its authentication - Google Patents

Decoupling of measuring the response time of a transponder and its authentication Download PDF

Info

Publication number
CN102047606A
CN102047606A CN2008801294151A CN200880129415A CN102047606A CN 102047606 A CN102047606 A CN 102047606A CN 2008801294151 A CN2008801294151 A CN 2008801294151A CN 200880129415 A CN200880129415 A CN 200880129415A CN 102047606 A CN102047606 A CN 102047606A
Authority
CN
China
Prior art keywords
transponder
reader
random number
random
designed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2008801294151A
Other languages
Chinese (zh)
Inventor
彼得·蒂林格
汉斯·德容
布鲁斯·默里
海克·诺伊曼
保罗·胡伯默尔
苏珊·斯顿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Koninklijke Philips NV
Original Assignee
Koninklijke Philips Electronics NV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics NV filed Critical Koninklijke Philips Electronics NV
Publication of CN102047606A publication Critical patent/CN102047606A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04B5/48
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • H04L2209/805Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Abstract

Reader (420) for determining the validity of a connection to a transponder (440), designed to measure a response time of a transponder (440) and to authenticate the transponder (440) in two separate steps. Transponder (440) for determining the validity of a connection to a reader (420), wherein the transponder (440) is designed to provide information for response time measurement to said reader (420) and to provide information for authentication to said reader (420) in two separate steps, wherein at least a part of data used for the authentication is included in a communication message transmitted between the reader (420) and the transponder (440) during the measuring of the response time.

Description

Measure disconnection and the authentication thereof of the response time of transponder
Technical field
The present invention relates to a kind of reader, be used to be determined to the validity of the connection of transponder, described reader is designed to measure the response time of transponder and authenticates described transponder.In addition, the present invention relates to a kind of transponder, be used to be determined to the validity of the connection of reader, described transponder is designed to be provided for the information that the response time measures to described reader, and the information that is provided for authenticating to described reader.In addition, the present invention relates to a kind ofly be used for the method for validity that reader is determined to the connection of transponder, and a kind ofly be used for the method for validity that transponder is determined to the connection of reader.In addition, the present invention relates to a kind of program unit.In addition, the invention still further relates to a kind of computer-readable medium.
Background technology
When using transponder (specifically being smart card and RFID label), so-called " relaying (relay) attack problem " appears.Usually, the reader of very close transponder reads transponder (near-field communication).Relay attack discharges this local binding, is used for criminal offence.
In example, people A is in the bar and his car is parked in the front in bar.Described car is equipped with the less key (this is to say to utilize the transponder accesses car, specifically is smart card) that enters feature.The transponder reading of data of people B from the A pocket, and the people C that is standing to the car side via mobile phone sends data.According to this method, C can open car and not learn burglar's chance to A.
Because the transmission via for example GSM takies the longer response time than near-field communication, when reader reads transponder, can measure measuring of response time and detect this relay attack.If the response time exceeds preset time window, then denied access.Because more and more faster transmission means attempt to make this time window as much as possible little.
Yet, during authenticating, need the time to be used for encrypt/decrypt.Because the algorithm of authentication becomes and becomes increasingly complex, there is physical restriction for time window.
Hancke, G.P., Kuhn, M.G., " An RFID Distance Bounding Protocol ", First International Conference on Security and Privacy for Emerging Areas in Communications Networks 2005, pp.67-73, disclosed radio frequency identification token,, then received relay attack easily if it is used for contiguous authentication such as non-contact smart card.The assailant can use the transponder of transmitting switching signal to manage to avoid the limited range of radio channel beyond farther distance.That encrypts provides the possibility countermeasure apart from border protocol, and described agreement is accurately measured the round-trip delay of radio signal.Described agreement is propagated the coboundary that can not derive the distance between reader and the token faster than the fact of the light velocity from information.Disclosed a kind of based on ultra-wideband pulse communication apart from border protocol., low-power hardware simple, asynchronous at only using in token realizes that this method specifically is suitable for passive low consumption token, noise circumstance and high-speed applications.
Summary of the invention
Therefore, the purpose of this invention is to provide a kind of reader of operating according to secured fashion and or transponder.
By realizing purpose of the present invention according to a kind of transponder of independent claims, a kind of reader, method, a kind of program unit and a kind of computer-readable medium.
According to exemplary embodiment, a kind of reader (it can link to each other communicatedly with transponder) is provided, be used to be determined to the validity (specifically being the authorization response device that can link to each other) of the connection of transponder with reader communication ground, wherein two separation steps (specifically be by between the communication information of two separation sending of the time interval) in finish the measurement of the response time of transponder and (specifically be in response to the corresponding requests of reader, wherein the response time can be from reader to the transmission request of transponder and receive response from the time interval between the response of transponder) and the authentication of transponder (specifically be by after formerly sending another unencrypted communication information, send the communication information of encrypting from transponder to reader, so that the response time measures).During the measurement of response time, the communication information of transmission between reader and the transponder (specifically being before authentication) can comprise at least a portion data that are used for (specifically being subsequently) authentication.
According to another exemplary embodiment, the validity that provides a kind of transponder to be used to be determined to the connection of reader wherein is provided for information that the response time measures and the information that is used to authenticate to described reader in two separation steps.During the measurement of response time, can comprise at least a portion data that are used for (specifically being subsequently) authentication at the communication information that transmits (specifically being before authentication) between reader and the transponder.
According to another exemplary embodiment, provide a kind of reader (or by reader execution) that is used for to determine (reader) method to the validity of the connection of transponder, described method comprises:
Reader sends first order (such as first communication information) and the second random number (step 1) to described transponder;
Reader receives first random number (specifically being the plaintext form) (step 2) from described transponder;
Reader receives the encryption of first random number and the encryption (step 3) of second random number (specifically being encrypted form) from transponder;
Reader utilizes the same key of using with transponder that the number (specifically being first and second random numbers of encrypting) that receives is decrypted, or utilizes described key that first random number and second random number are decrypted (step 4);
First random number of reader checking procedure 2 and second random number whether with first random number and the consistent (step 5) of second random number of step 3;
Whether at the fixed time the reader check receives the first random number (step 6) in the window; And
If the result (specifically) of the result of check and check in step 6 be true in step 5, then reader is thought the effective (step 7) of being connected to of transponder.
According to another exemplary embodiment, a kind of method of validity that transponder is determined to the connection of reader that is used for is provided, described method comprises:
Transponder receives first order and second random number from described reader;
Transponder sends first random number to described reader;
Transponder sends the encryption of first random number and second random number to described reader.
According to another exemplary embodiment (detailed explanation and corresponding description are provided in Fig. 5), a kind of method of validity that reader is determined to the connection of transponder that is used for is provided, described method comprises:
Send first order and second random number to described transponder;
Receive first random number from described transponder;
To first message authentication code (MAC) of transponder transmission based on first random number and the generation of second random number;
Receiving from transponder can be based on second message authentication code (MAC) of first random number and the generation of second random number;
Check second message authentication code (MAC) whether effective;
Whether at the fixed time check receives first random number in the window; And
If the result of check is true, think that then being connected to of transponder is effective.
According to another exemplary embodiment (detailed explanation and corresponding description are provided in Fig. 5), a kind of method of validity that transponder is determined to the connection of reader that is used for is provided, described method comprises:
Receive first order and second random number from described reader;
Send first random number (making an immediate response particularly) to described reader in first order that receives;
From first message authentication code (MAC) of reader reception based on first random number and the generation of second random number;
Check first message authentication code (MAC) whether effective;
When first message authentication code (MAC) is effective, send second message authentication code (MAC) that produces based on first random number and second random number (when first message authentication code (MAC) is invalid to reader, transponder can send another message authentication code (MAC) that is not based on first random number and the generation of second random number to reader, for example can produce with the indication authentification failure).
According to another exemplary embodiment, a kind of program unit (for example the software routines of source code or run time version, for example can download) is provided, when processor was carried out, it was suitable for controlling or carrying out one of method that has above-mentioned feature.
According to another example embodiment of the present invention, a kind of computer-readable medium (for example CD, DVD, USB rod, floppy disk or hard disk) is provided, wherein store computer program, when being carried out by processor, described computer program is suitable for controlling or carrying out one of method that has above-mentioned feature.
Can realize by computer program (promptly by software) or by use one or more special electronic optimization circuits (promptly by hardware) or with mixed form (promptly by software unit and hardware cell) according to the data processing that the embodiment of the invention is carried out.
RFID label or (for example noncontact) smart card can specifically be represented in term " transponder ".More specifically, transponder can be a kind of equipment (for example comprising chip) that can send specific (for example encoding) data when being activated by the distinctive signal from interrogator automatically.
A kind of base station that is suitable for sending the electromagnetic radiation wave beam with the signal of reading that transponder and detection of reflected are returned or emission can specifically be represented in term " reader ".Reader can be adapted for by one in the following group of forming: read and/or write device, RFID reader, noncontact chip-card readers, passive balise and near-field communication equipment.Yet, also can communicate based on wireline interface.
One or more " application " can be provided by the communication system that reader and transponder form.Service in the communication system that this application can specifically be represented to be formed by reader and transponder, transponder and/or can provide contribution for this service.Providing of this contribution can relate to the ability that transponder provides storage or the data of calculating, disposal ability or the like is provided.The example of this service is: the user of transponder pays the expense of using public transport, purchasing price of wireless payment system payment article or the like.
Term " message authentication code " (MAC) can specifically represent to be used for the short message of authentication message.The MAC algorithm can be accepted the message of privacy key and the random length that will authenticate as input, and can export MAC.The MAC value can be protected the data integrity and the authenticity thereof of message by allowing authentication (also having this privacy key or corresponding public-key cryptography).
Term " cyclic redundancy check (CRC) " (CRC) can specifically be represented data flow with any length as input, and produces the type (or its output) of the value (for example integer of specific bit number) of particular space as the function of output.CRC can as verification and, change with the data during detect sending.
Embodiments of the invention provide following advantage: be used for the communication of response time measurement and the communication that is used for security purpose by timely separation, can carry out being connected to effective (this is of thinking between reader and the transponder to determine whether to destroy to connect) with higher certainty.In other words, this means specifically to be relay attack with higher Probability Detection to attacking.This can disconnect the required time of cryptographic operation by the measurement from response time of transponder and realize.In addition, can use synergistically that the communication between the reader and transponder transmits the sign indicating number that is used to subsequently authenticate during time measurement part.This can allow utilized bandwidth and initial phase very effectively fast.In addition, by exchanging this sign indicating number, can stop the parallel generation of this sign indicating number in two entities, therefore reduce the computation burden of system, this is because only this sign indicating number of the generation of in two entities is just enough.For example, can carry random number from transponder to first order of measuring that makes an immediate response of reader request reader, as the part sign indicating number that is used for follow-up encrypting and authenticating in the response time.
Embodiments of the invention can also have the following advantages:
For example, this system can be applicable to a large amount of transmissions, also can be used for the keyless access system in vehicle and a plurality of other application.
For example, Dui Ying communication system can be applicable to only in the DRM of ad-hoc location consumption protection content.
For example, the prisoner that Dui Ying communication system can be applicable to stay at home in paroling.
Therefore, embodiments of the invention provide a kind of suitable solution, are used to determine the validity that connects between reader and transponder.
Hereinafter, another embodiment of reader will be explained.Yet these embodiment also are applied to described transponder, described method, described program unit and described computer-readable medium.
According to exemplary embodiment, described reader can be designed as measures the response time, receives time interval between first random number as first order that sends to described transponder from described reader with in response to first order from described transponder.In other words, the response time can indicate transponder to reply the time that needs to the inquiry transmission of reader.When reader is measured this time interval, can estimate that transponder is used to send the time of the first random number needs.Under the relay attack problem situation of (this relates to owing to attack the additional transmit path that causes), this time will be longer than predetermined threshold.When transponder is not encrypted first random number before transmission first is counted to reader at random under the situation about measuring in the response time (therefore wishing does not have because the delay that encryption causes), any additional delay between reader and transponder the transmission of news causes relay attack probably.It is effective not existing this additional delay then can allow reader to release with communicating by letter of transponder.Particularly, receive in the scene of first random number with plain text or unencrypted form at reader (in response to first request), the response time of transponder is the suitable tolerance that is used to determine whether to exist the relay attack problem.For example, if the response time of measuring less than predetermined threshold, can be effective with the link sort between transponder and the reader.
Also with reference to the foregoing description, described reader can be designed as based on following evaluation and comes the authentication response device: whether the encryption of first random number that receives from transponder after receiving first random number that is used to measure the response time (this is in response to first random number that second request sends according to the mode of encrypting to reader from transponder) and being used to of receiving are measured first random number of response time consistent.In other words, will compare in response to first order first random number that sends and first random number that sends in response to second order (after deciphering, encryption first random number that can send to reader from transponder).Therefore, can disconnect the response time measurement from authentication verification, this is owing at first send the same random number that does not have encryption, only is used for response time measurement purpose, and resends same random number subsequently according to the mode of encryption, is used for authentication purpose.
In a preferred embodiment, described reader can be designed as to be measured the response time, as sending first order and second random number to described transponder and receiving from the time interval between first random number of transponder in response to first order.In other words, with sending first request, reader can send second random number to transponder simultaneously, and described second random number can be used at least one of following two purposes subsequently.A purpose is that transponder can use second random number of reception so that derive the 3rd random number, and transponder can use described the 3rd random number in dialogue in the future.Second purpose is that this second random number that sends to transponder from reader can also (except first random number) be used for authentication purpose, such as will be hereinafter explanation.
Promptly, described reader can be designed as based on following evaluation comes the authentication response device: receiving after first random number is used to measure the response time, whether the encryption of second random number that receives from transponder and the encryption of first random number and being used to of receiving are measured first random number and second random number of response time consistent.In this scene, reader can send second random number to transponder under the situation of response time measurement.In process subsequently, then transmitter can utilize simultaneously and store first random number in the transponder and received second random number from reader, can encrypt authentication message.Can encrypt together these two random numbers with (reader is also known) specific key.This can allow to discern transponder safely, and guarantees that simultaneously the transponder and the reader of only authorizing communicate, and has therefore eliminated the relay attack problem with the fail safe of height.
Described reader is designed to, have only when determining that the response time at interval at the preset time window (for example, the preset time window is less than predetermined threshold) interior AND when between first random number (and optionally additional second random number) that reader sends with the form of encrypting, having consistency simultaneously from transponder, think being connected to effectively of transponder.Therefore, the logic AND between two criterions is in conjunction with being necessary, to accept being connected to effectively between transponder and the reader.First criterion is the time interval that transponder is used to respond first order to be shorter than predetermined threshold.This can guarantee to get rid of the possibility of relay attack problem.Owing to carry out the transmission of first response, and transponder is not carried out any processing load or task, is the suitable measurement that is used for the length of transmission path between transponder and the reader in actual transmitting time under the situation of relay attack problem, and can significantly change.Second criterion is guaranteed also to provide the password of encryption in response to the identical transponder of first order, by the combination of first random number (being stored in the transponder) and second random number (by reader together with the first order transmission) can the described encryption of form password.
Described reader is designed to be split as the data that are used to authenticate of a plurality of communication informations and/or to be used for the contiguous data of checking with the reader exchange.Therefore, need not all authentication informations or all contiguous checks (for example, measuring by the response time) information are included in the single message that exchanges between reader and the transponder.On the contrary, correspondence code can be divided into different piece, can send described different piece from reader to the different communication message that transponder sends, or vice versa.For example, being close to check can be divided into a plurality of fragments and obtain precise time information.
Described reader is designed to send first order (can comprise second random number) with Cyclic Redundancy Check.Compare with ISO 14444-4 system, this notion is diverse method, and ISO 14444-4 system relies on and is attached to from the CRC of reader to the ending of the data division of label communication.Embodiments of the invention can be attached to CRC from label on the response message that reader sends, and are used for error correction.Determine not have the distortion of communication for reader and occur, this CRC can comprise first order (comprising second random number) and response (comprising first random number).
Next, another embodiment of transponder will be explained.Yet these embodiment also are applied to described reader, described method, described program unit and described computer-readable medium.
Described transponder is designed to send first random number to reader, is used for measuring in response to the response time of first order that receives from transponder.Can send this first random number from transponder to reader according to unencryption (or expressly) form.By adopting this measure, the ciphering process that reader will be carried out can not postpone the measurement that reader sends order and receives the time interval between the response from transponder artificially, this is because the execution of this ciphering process can increase the response time artificially so that can not and the existence of the rule response of the authorization response device that communicates of reader and relay attack problem between distinguish.Therefore, send first random number in the unencrypted mode and can increase reliability about the judgement of validity.
Particularly, described transponder can be designed as to reader and sends first random number that does not postpone, and is used for the response time measurement.Therefore, transponder be can dispose in this manner,, additional treatments or similar any delay are not used for and can not increase so that take place as quickly as possible in response to the transmission of first first random number of ordering.This can allow to increase with reliable fashion and detect the possibility that does not have the relay attack problem.
Described transponder is designed to send first random number in response to first order, and described first order comprises second random number.Therefore, first order can comprise second random number, uses the trigger of described second random number as transponder, is used to send it back the response that comprises first random number.For example, after reader sends first random number, transponder can produce and store the 3rd random number based on second random number, is used for session in the future (session persistence and card leave the same time of growing of a-n radio range a-n of reader once more) to substitute first random number.For example, storage second random number is possible in transponder, special algorithm is applied to second random number calculates the 3rd random number.After sending it back first random number, finish this all operations, that is, do not have in the time interval of disposal ability at transponder to reader.This process can allow to upgrade first random number that is used for another dialogue, so that the communication between transponder and the reader, owing to be used for the change of the random number of response time measurement and authenticated exchange between transponder and the reader, further increased fail safe thus.
Described transponder is designed to send the encryption of first random number receiving the transmission first order back after second order of described transponder transmission.Therefore, after reader had received first random number from transponder according to the unencrypted mode, reader can send second order.
Yet, when transponder is carried out first random number with encryption that second random number combines, this has guaranteed that to reader transponder not only replys to get rid of the relay attack problem according to enough fast mode, also authorize present communication transponder to be used for this communication, this is because the knowledge of these action need first and second random numbers and encryption key.
The coded communication message that comprises first and second random numbers when reception is so that when authentication, and reader has two chances.First chance is that the communication information to the encryption that comprises first and second random numbers that obtain from transponder is decrypted, and deciphering first and second random numbers are expressly compared with first and second random numbers in the memory that is stored in reader.That is, reader receives first random number from transponder according to the first answer form.In addition, because reader sends second random number to transponder, known second random number of reader with first order.Second chance is that the well-known key that reader utilizes transponder also to use is encrypted the first and second known random numbers.Then, the communication information of the described encryption of reader generation is compared with second response that obtains from transponder.
Described transponder is designed to analyze the communication information with the reader exchange, and whether the definite response device is positioned at the vicinity of reader thus, and termination is communicated by letter when the definite response device is not positioned at reader contiguous.Therefore, reader not only can analyze vicinity enough between reader and the transponder (for example, the distance between reader and the transponder less than threshold value or response time less than threshold value), can also carry out check and whether carry out predetermined criterion about enough vicinities.Checking contiguous check (VPC) message and response can allow to determine contiguous (content that reader carries out time measurement and checks transponder to receive and send, transponder are checked the content of its reception and the content that reader receives).
Described transponder is designed to be split as the data that are used to authenticate of a plurality of communication informations and/or be used for the contiguous data of checking with the reader exchange.Therefore, will all authentication informations or all contiguous checking informations (for example, measuring) by the response time be included in the single message that exchanges between reader and the transponder.In contrast, correspondence code can be divided into different piece, can be by sending described different piece to the different communication message that transponder sends from reader, or vice versa.For example, being close to check can be divided into a plurality of fragments and obtain precise time information.
Described transponder is designed to send first random number and Cyclic Redundancy Check to reader.By can execution error recovering for the response application CRC that comprises order.Can order based on RAC1, random number #1 and random number #2 calculate CRC.
Described transponder is designed to send and encrypts and information, and described information has been indicated the timing of the communication between transponder and the reader, specifically is speed.This information can be indicated the speed of operating between the communication parter.Can comprise the corresponding data part in the communication information that exchanges between reader and the transponder, and corresponding data partly can be called the PPSE data field.Reader can use this field to stop and the communicating by letter of transponder.
Described transponder is designed to detect and limit frequency, when operate at described frequency place, in case frequency in boundary in addition then stop and the communicating by letter of reader.Carry out this operation so that can not increase residue relay attack window.
Response for the transponder order can only comprise RndR a plurality of bytes in addition, comprises CRC alternatively.The transponder order does not have CRC.In another embodiment, can change, so that in transponder order (comprising random number), after the part RndR that transponder sends, be CRC, as the extension that receives part RbdR.The reader of front does not have the possibility that detects garble and therefrom recover, and therefore be close to check and may fail garble after, and transponder is had to be in outside the venue or not and is selected.Should be to the CRC of transponder command execution, this is because CRC can widen residue relay attack window.In a kind of embodiment in back, reader can detect garble, and restarts contiguous checked operation (certainly, using new RndC and RndR) in this case.
Each random number can be pseudo random number or true random number.Opposite with pseudo random number, true random number is to be independent of it to produce the number that criterion produces.In order to encrypt, can be considered at random based on the number of physical measurement.But pseudo random number can be the number with the least possible detecting pattern, rather than very at random.Computer program can be made pseudo random number, and this is because computer program can not be made true random number.Randomizer can be the part of transponder/reader.
In random number and the key any one can be the arbitrary sequence of numerical character, sequence or any digital code of letter.
Enforcement of the present invention relates to transponder, specifically is smart card and RFID label.Although to those skilled in the art, embodiments of the invention relate to the RFID label usually with transponder and usually based on the wired or wireless equipment that communicates that is connected with being equal to, and for clear, this describes the main reference smart card.
Reference is described embodiment hereinafter, and these and other aspects of the present invention are conspicuous, and will illustrate these and other aspects of the present invention.
Description of drawings
Following with reference to the embodiment shown in the accompanying drawing, by non-limiting example the present invention is described in more detail:
Fig. 1 shows the principle of relay attack.
Fig. 2 shows the message flow between the reader and transponder according to an exemplary embodiment of the present invention.
Fig. 3 shows the exemplary fields that can use the embodiment of the invention.
Fig. 4 shows communication system according to an exemplary embodiment of the present invention.
Fig. 5 shows the reader of another exemplary embodiment according to the present invention and the message flow between the transponder.
Embodiment
Show the scene in the accompanying drawing.In different accompanying drawings, identical Reference numeral is used for similar or identical assembly.
Exemplary embodiment of the present invention allows to stop the relay attack of transponder system.
Hereinafter, explain with reference to figure 1 what is a relay attack.
For this purpose, considered the affairs of assembly safe in utilization, described security component is intended at a certain distance rather than is used for these affairs in close proximity.
Fig. 1 shows first scene 100 of indication normal running, and wherein transponder 120 is closely adjacent with real reader 140.For example, transponder 120 can be smart card or NFC (near-field communication) phone.
Fig. 1 shows second scene 150 that the indication relay attack exists.Except transponder 120 and reader 140, in the communication path of transponder 120 and reader 140, also introduce invador 160 first communication equipment and invador 170 second communication equipment.Although the existence of additional communication devices 160,170 has the result who increases call duration time between transponder 120 and the reader 140, communication equipment 160,170 can be according to mode operation acknowledge device of not expecting or reader 120,140 usually.
Even when these equipment 160,170 were not known any key, relay attack still can be carried out.Need not user action (as the visit to a large amount of transmission) if can carry out affairs, relay attack especially can well be carried out.For example, in bus of completely taking advantage of or subway, the invador can find to have some of transponder easily, and described transponder can be in response to invasion equipment 160,170 as reader 140.It is possible communicating by letter with the some other people who holds phone in the subway station porch via mobile phone 160 or 170.This people can obtain visit, and the payment of the people in bus.This relay attack for example is applied to a large amount of transmission, also is applied to the no key port system in the vehicle.
Yet above system description only is an example that is used for stoping successful relay attack of the embodiment of the invention.Attempt scene alternative of relay attack as the invador, also might involutory method user use exemplary embodiment of the present invention, described validated user is attempted to use service on another system medium-long range ground, and described service is intended to only be used in contiguous place.For example, the content of DRM protection is only in ad-hoc location consumption or be used for paroling and need the prisoner that stays at home.Therefore, exemplary embodiment of the present invention can be applied in the scene of different technologies.
The main points of exemplary embodiment of the present invention are the response times of measuring transponder.When finishing relay attack, this will take some times.Be longer than just often (exceeding tolerance limit) when reader detects the described time, can draw the conclusion that relay attack has been installed.Transponder can be carried out same operation.
Yet this scene may go wrong: the time window that exists the wherein response of non-attacking system to import.If the bigger variation (in a system or between the system) that this window more greatly can the containment behavior, then rapid system sets apart attack is installed.According to exemplary embodiment of the present invention, solution is the time window that produces the time quantum that adds less than the fastest relay attack.Therefore, should use the relay attack window up may be little.
Fig. 2 shows a kind of communication system, has wherein implemented exemplary embodiment of the present invention.Also with reference to figure 4, reference number 420 is indicated readers, and reference number 440 indication transponders.Fig. 2 has also distinguished security 205 and the modem chip of transponder 440 or the difference between the function of transponder 440.Reader 420 is considered to the combination of reader chip part 215 and application-specific 220.Along the horizontal direction of Fig. 2, show the incident in the communication system that transponder 440 and reader 420 form.Along the vertical direction of Fig. 2, drawn the time.
Fig. 2 at length shows embodiments of the invention and how to work.
In step 0, after the known in itself anti-collision process, reader 420 can be selected a transponder in a-n radio range a-n, so that further communication.In transponder 440, when the order of the RAC1 of first that is used for the relay attack check arrived, the storage first random number RA NDOM #1 made it ready in write buffer.
In step 1, use 220 (for example, being positioned at the microcontroller place that is connected to reader chip 215) and send the order and the second random number RA NDOM #2 that is used for relay attack checking R AC1 to reader chip 215.Reader chip 215 sends data to the chip 210 of transponder 440, does not further handle.
In step 2, card 440 sends it back the first random number RA NDOM #1 to reader 420 immediately, and the first random number RA NDOM #1 has been stored in the core of the card sheet in step 0.
In step 3, send the second random number RA NDOM #2 to the cipher processor 205 of transponder 440, described transponder 440 should numeral as the basis that produces the 3rd random number RA NDOM #3.Then, store the next one request (the overwrite first random number RA NDOM #1 then) that the 3rd random number RA NDOM #3 is used for reader 420.
In step 4, use 220 and send the second portion RAC2 that order is used for the relay attack check.This order is forwarded to pellucidly the cipher processor 205 of transponder 440.
In step 5, the cipher processor 205 couples first random number RA NDOM #1 and the second random number RA NDOM #2 encrypt, and send it back MAC (RANDOM #1, RANDOM #2) as a result to reader 420.
In step 6, use 220 and utilize the same key of using with transponder 440 that the data that receive are decrypted, or utilize same key that the first random number RA NDOM #1 and the second random number RA NDOM #2 are encrypted once more.Should point out that embodiments of the invention are not limited to symmetric key encryption.Can also use Public Key Infrastructure or the similar MAC of finishing.Whether then, use 220 checks the second random number RA NDOM #2 that sends before consistent with the first random number RA NDOM #1 that receives before.
In step 7, carry out the check whether in special-purpose time window, receive the first random number RA NDOM #1, and authentication response device 440 whether effectively.If condition all is true, then owing to following reason is not destroyed connection between reader 420 and the transponder 440:
A) receive the first random number RA NDOM #1 in the frame in effective time; And
B) the first random number RA NDOM #1 is clearly from effective response device 440.
Owing to do not need complicated calculating, step 1 is immediately following after the step 2.In addition, the response time can not suffer remarkable shake, if having complicated ciphering process then remarkable shake can occur.Therefore, can make the effective time window very little.Then, time loss verification process operation " does not have excitation ".Correspondingly, the complete disconnection response time and the measurement of verification process.
Hereinafter, also will explain other considerations.
Embodiments of the invention are based on challenge (challenge)-response protocol, yet calculate the response based on challenge when not required.
Can accurately determine timing based on the random number of message RAC1 that sends and reception.
In chain, only there is assembly with low jitter.Therefore, can there be very little residue relay attack window.
For the forgery of detect-message, send RANDOM #1 and the RANDOM #2 of MAC.SAM or use 220 the check described response.
The invador can not calculate MAC.
On the principle, the RAC2 order is too much.Also can under the situation that does not have request, send RANDOM #1 and the RANDOM #2 of MAC.
Agreement allows repeatedly to carry out the relay attack check in session, so random number #3.If do not need to check again, then omit this operation.But use for other, for example the lawful owner of equipment need treat can execution cycle property to check again at contiguous place when using service.
For example, for mobile phone or reader, non-forgery clock is effective supposition.Yet, but for example for contactless card or when mobile phone clock time spent accurately not, for example owing to also need function when pull down battery, this is an individual problem.Under those situations, card can be synchronized with the reader clock, and reader can be a relaying reader of being distorted, so that operation is faster.
If the invador allows card with for example double speed operation, card can send response after thinking ca.80 μ s, but is actually 40 μ s.The relay attack window is ca.80 μ s-40 μ s=40 μ s.Solution at this scene is that frequency sensor is placed in the card, if close card when frequency range is operated in addition so that be stuck in.
Fig. 3 has demonstrated two different examples of communication system.
In first example of reference number 300 indication, card or mobile phone and for example send infrastructure in a large number and carry out alternately.
In second scene of reference number 350 indications, card or mobile phone and mobile phone carry out alternately.
As shown in Figure 3, the character of this system is classified as wired with trusty; Wireless with fly-by-night; And it is wired with trusty.
Hereinafter, with reference to figure 4, with the communication system of explaining according to exemplary embodiment of the present invention 400.
Communication system 400 is similar with scene shown in Figure 2, comprises reader 420 and transponder 400.
Reader 420 comprises communicatedly the processor 422 (such as microprocessor or CPU) that links to each other with receiver antenna 426 with transmitter antenna 424.Transmitter unit 422 can send communication information 428 to transponder 440.Receiver 426 can be from transponder 440 received communication message 430.Although in Fig. 4 transmitting antenna 424 and reception antenna 426 are illustrated as two different antennae, alternative can also be used single shared transceiver antenna.
Antenna 424,426 is electrically connected with processor 422, so that can send data to transmitting antenna 424 from processor 422, so that communication information 428 transmits.The communication information 430 that receives by receiver antenna 426 can also be analyzed and handle to processor 422.
Memory cell 432 such as semiconductor memory links to each other with processor 422, so that allow storage of processor 422 addressable data.In addition, show the permission user and operate the I/O unit 434 of reader 420.I/O unit 434 can comprise such as button, keypad, joystick or similar input module.Via this input module, the user can be to reader 420 input commands.In addition, I/O unit 434 can comprise the display unit such as LCD, and the display result of the process that reads of permission reader 420 for the user as seen.
Also as shown in Figure 4, transponder 440 comprise send and receiver antenna 436, such as the processor 422 and the memory 438 of microprocessor.In an embodiment, memory 438 and processor 442 can be integrated in the integrated circuit (IC), and described integrated circuit is connected with antenna 436 and is attached in the support 444 such as a chip architecture.
Can be according to wireless mode switched communication message 428,430 between entity 420,440.
For the validity determining to connect between reader 420 and the transponder 440 (promptly, be used for determining whether the connection between reader 420 and the transponder 440 is effective), at first reader 420 can send first order (being designated as RAC1 among Fig. 2) together with second random number (being designated as RANDOM #2 in Fig. 2) to transponder 440.When receiving this communication information, the communication information of Fig. 4 for example, transponder 440 can send it back the communication information 430 that comprises first random number (being designated as RANDOM #1 in Fig. 2) immediately according to the plaintext form.Therefore, transponder 440 can be replied to reduce the relay attack window with the unencrypted mode not postponing.When communication information 428 also comprises second random number (being designated as RANDOM #2 in Fig. 2), in memory 438, can store this number, this number can be used to derive the first new random number, so that transponder 440 and such as the continuous communiction session between the reader of reader 420.The processor 422 of reader 420 can be stored the use that first random number that receives is used for the back in memory 432.
Subsequently, alternatively, reader 420 sends another second request according to the mode of encrypting to transponder 440 now, requires transponder 440 to send another communication information.Yet alternatively, because transponder 44 may send second communication message to reader 420 at the volley, this another request is inessential.This second communication message can comprise first random number and second random number (being designated as RANDOM #1 and RANDOM #2) in mode that encrypt or MAC.The number of 422 pairs of receptions of processor is decrypted and can allows and will compare with first and second random numbers of storage memory 432 from first random number and second random number that transponder 440 sends.Using under the situation of MAC, the MAC that processor 422 calculates at identical message, and the MAC of result and reception compared.
Only, the communication between reader 420 and the transponder 440 is accepted as effectively responding in the scene that existence is fit to mate between first and second random numbers that send and first and second random numbers of the storing in memory 432 based on second less than predetermined threshold and transponder 440 for the first request responding time.
Those skilled in the art should be noted that the described transponder according to exemplary embodiments, described reader and described method are not limited to contactless data communication, can also be applied to wire communication.
In an embodiment, carry out to be close to mutual two-way time and check by measuring challenge-response.If the assailant wishes to install relay attack, then will inevitably introduce delay.The degree that depends on delay can detect described delay.The accuracy of time measurement and residue relay attack window depends on the realization of the non-contact front-end (PCD-CLF) of PCD (this is a reader), and this is a part of considering the PCD of contactless communication, also is the CLF of PD (this is a transponder).By this realization meeting the relay attack of using mobile phone to install is hit back.Although can utilize individual command and single response to finish check, described agreement uses three order-responses right at least.Take more time in the actual pattern of PD side random number and the calculating meeting of encryption than the time that should return response.Therefore, three parts are broken as:
1. allow PD draw the pattern of random number, and before it is finished, do not send response.
In a single day 2. challenge random number and arrive, just reply the response random number.PCD can be split as this step that a plurality of challenges-response is right.
3. carry out the check of encrypting and guarantee that numeral is not distorted.
According to embodiments of the invention, Fig. 5 shows the message flow 500 between reader 420 and the transponder 440.
Fig. 5 has provided the general introduction of contiguous check agreement, and has provided the example of contiguous inspection period message.
At first, PD sends and prepares contiguous check (PPC) order.This order PD prepares 7 byte random numbers.The PPC order only is made up of command code.For example PD utilizes successful return code to reply.After this, PCD sends contiguous check (PC) order with part or complete 7 byte random challenge.PCD can send complete 7 byte numerals immediately, at every turn only to next byte.In this order, can omit the CRC that stipulates by ISO14443-4 usually alternatively.After directly sending a bit, recommend the device that picks up counting by PCD.Then, PD must be at the place of precise time the earliest that allows early than ISO14443-4, and this is after time of delay, to utilize the part of the preparation random response of equal length to respond at minimum frame.Send this response and do not have return code.In this response, also omit all fields by the ISO14443-4 regulation.
When having received first bit of PCD response, PCD directly stops timer.The time of measuring is to send random number and receive the time that responds between the random number, and promptly minimum frame time of delay (FDT) adds two-way time (PTT).
PCD repeats to send the part random number as this right process of challenge-response, up to having exchanged 7 complete bytes.Can freely select random number to be divided into much sizes, and how many contiguous check orders PCD use as a result.In this embodiment, the right maximum number of challenge-response is seven.The order of the order that part 7 byte random numbers that collect to receive in end and remembeing receive.
Pick up counting after being recommended in the last bit of transmission, and stop when receiving first bit, this is because in fact contingent operation will be according to PCD-CLF.The difference of PCD-CLF realizes allowing the different time measuring technique, therefore allows different residue relay attack windows.Below the mode of Jian Yi work adds the fine granulation of time measurement, will cause least residue relay attack window.
The time of measuring is compared with predetermined threshold, and contactless infrastructure operator selects according to the granularity and the residue estimation of risk of the time measurement that PCD-CLF may use.After each contiguous check order, (maybe when exceeding threshold value, use overtime timer), the time of PCD checking measurements, or remember maximum time of measuring, and only test in end.If exceed threshold value, contiguous check protocol failure.
In case utilize the contiguous check complete n byte of command process (for example 7 bytes) random challenge, PCD sends the contiguous check of checking (VPC) order.This order comprises the MAC at complete 7 byte random numbers, and about the information of PD and PCD operation (being stored in the PPSE byte) speed, therefore the invador can not come operation sheet with difference (higher) speed that iso standard allows, and the acquisition time is installed attack (other checks for speed still are possible).The random number sequence that is used for the MAC input has reflected as identical division during the transmission of contiguous check order.PD should verify the MAC of input.If the mac authentication failure, PD enters the state (no longer) of not accepting other operations.
According to exemplary embodiment of the present invention, the repertoire of reader and transponder can be put upside down, so protocol streams is in other direction.This is that the system of explicit disclosure is equal to solution and is within the scope of claims.
Finally, should be noted that the foregoing description signal and unrestricted the present invention, under the prerequisite of the scope of the present invention that does not break away from the claims qualification, those skilled in the art can the many alternatives of design place.In the claims, place any reference marker of bracket should not be interpreted as limiting claim.Word " comprise " etc. do not get rid of occur being different from any claim or specification listed as a whole outside element or step.The singular reference of element is not got rid of the plural reference of this element, and vice versa.In listing the equipment claim of multiple arrangement, several in these devices can be realized by same software or hardware.Only the fact of putting down in writing in mutually different dependent claims according to certain measures can not show and can not use the combination of these measures to improve.

Claims (29)

1. a reader (420), be used to be determined to the validity of the connection of transponder (440), wherein, described reader (420) is designed to measure the response time of transponder (440) and comes authentication response device (440) with two separation steps, wherein, at least a portion that between reader (420) and transponder (420), comprises the data that are used to authenticate during the measurement of response time in the communication information of transmission.
2. reader according to claim 1 (420), wherein, described reader (420) is designed to measure the response time based on ordering (RAC1) from the time interval between first random number (RANDOM #1) of transponder (440) with receiving in response to first sending first order (RAC1) to described transponder (440).
3. reader according to claim 2 (420), wherein, whether consistent described reader (420) be designed to authenticate described transponder (440) based on the assessment of first random number (RANDOM#1) of measuring the response time in the encryption that receives first random number (RANDOM#1) that first random number (RANDOM #1) that is used to measure the response time receives from transponder (440) afterwards and being used to of receiving.
4. reader according to claim 1 (420), wherein, described reader (420) is designed to measure the response time based on ordering (RAC1) from the time interval between first random number (RANDOM #1) of transponder (440) together with second random number (RANDOM #2) with receiving in response to first sending first order (RAC1) to described transponder (440).
5. reader according to claim 4 (420), wherein, whether consistent described reader (420) be designed to come authentication response device (440) based in the assessment of the encryption of encryption that receives second random number (RANDOM#2) that first random number (RANDOM #1) that is used to measure the response time receives from transponder (440) afterwards and first random number (RANDOM #1) and first random number that is used to measure the response time (RANDOM #1) that receives and second random number (RANDOM#2).
6. according to claim 3 or 5 described readers (420), wherein said reader (420) is designed to have only when determining that the time interval in the preset time window and the communication speed that has consistency and transponder (a 440) operation and the transponder (440) that reader (420) the is thought communication speed of operating when identical, thinks that just the connection of transponder (440) is effective.
7. reader according to claim 1 (420), wherein said reader (420) are designed to be split as the data that are used to authenticate of a plurality of communication informations and/or be used for the contiguous data of checking with transponder (440) exchange.
8. reader according to claim 4 (420), wherein, described reader (420) is designed to send first order (RAC1) under the situation of no cyclic redundancy check (CRC).
9. reader according to claim 1 (420), wherein, described reader (420) is designed to: receive the communication information that comprises cyclic redundancy check (CRC) from transponder (440), wherein said cyclic redundancy check (CRC) is according to sending to transponder (440) message and calculating from the message that transponder (440) receives; And when in detecting the communication information that comprises cyclic redundancy check (CRC), having garble, think ineffectivity with the message of transponder (440) exchange.
10. reader according to claim 4 (420), wherein, reader (420) is designed to receive the communication information comprise cyclic redundancy check (CRC) from transponder (440), and wherein said cyclic redundancy check (CRC) is produced based on the message (RAC1) that receives from reader (420), splice with first random number (RANDOM #1) and second random number (RANDOM #2) by transponder (440).
A 11. transponder (440), be used to be determined to the validity that reader (420) connects, wherein, described transponder (440) is designed to be provided for to described reader (420) information of response time measurement, and be provided for the information that authenticates with two separation steps to described reader (420), wherein, at least a portion that between reader (420) and transponder (440), comprises the data that are used to authenticate during the measurement of response time in the communication information of transmission.
12. transponder according to claim 11 (440), wherein, described transponder (440) is designed to send first random number (RANDOM #1) to reader (420), is used for measuring in response to the response time of first order (RAC1) that receives from transponder (440).
13. transponder according to claim 12 (440), wherein, described transponder (440) is designed to send unencrypted first random number (RANDOM #1) to reader (420), is used for the response time measurement.
14. transponder according to claim 12 (440), wherein, described transponder (440) is designed to send first random number (RANDOM #1) in response to first order (RAC1) that comprises second random number (RANDOM #2).
15. transponder according to claim 14 (440), wherein, described transponder (440) is designed to produce and store the 3rd random number (RANDOM #3) based on second random number (RANDOM #2), is used for session in the future to substitute first random number (RANDOM #1).
16. transponder according to claim 14 (440), wherein, described transponder (440) is designed to send second order (RAC2) that first order (RAC1) sends from described transponder (440) afterwards afterwards receiving, and sends the encryption of first random number (RANDOM #1) and the encryption of second random number (RANDOM #2).
17. transponder according to claim 11 (440), wherein, described transponder (440) is designed to analyze the communication information that exchanges with reader (420), whether definite response device (440) is positioned at the vicinity of reader (420) thus, and stops communication when definite response device (440) is not positioned at reader (420) contiguous.
18. transponder according to claim 11 (440), wherein, described transponder (440) is designed to be split as the data that are used to authenticate of a plurality of communication informations and/or be used for the contiguous data of checking with reader (420) exchange.
19. transponder according to claim 12 (440), wherein, described transponder (440) is designed to send first random number (RANDOM #1) together with cyclic redundancy check (CRC) to reader (420).
20. transponder according to claim 11 (440), wherein, described transponder (440) is designed to send the information of communication information together with the timing of having indicated the communication between transponder (440) and the reader (420) to reader (420), and described information has specifically been indicated speed.
21. transponder according to claim 11 (440), wherein, described transponder (440) is designed to detection and limit frequency remains the relay attack window so that limit, wherein said frequency is as lower frequency: in case as described in frequency beyond boundary, then described transponder (440) is operated to stop and the communicating by letter of reader (420).
22. transponder according to claim 14 (440), be designed to produce the communication information that comprises cyclic redundancy check (CRC), wherein said cyclic redundancy check (CRC) is based on that the message (RAC1) that receives from reader (420), splice with first random number (RANDOM #1) and second random number (RANDOM #2) produces.
23. one kind is used for the method for validity that reader (420) is determined to the connection of transponder (440), described method comprises:
Send first order (RAC1) together with second random number (RANDOM #2) to described transponder (440),
Receive first random number (RANDOM #1) from described transponder (440),
Receive the encryption of first random number (RANDOM #1) and the encryption of second random number (RANDOM #2) from described transponder (440),
The same key of utilizing transponder (440) to use is decrypted the number that receives, or utilizes described key that first random number (RANDOM #1) and second random number (RANDOM #2) are encrypted,
Whether check is consistent with first random number (RANDOM #1) and second random number (RANDOM #2) of the conduct encryption that receives from transponder (440) with second random number (RANDOM #2) from first random number (RANDOM #1) that described transponder (440) receives
Check first random number (RANDOM #1) whether in the preset time window, to receive and
If the result of check is true, think that then being connected to of transponder (440) is effective.
24. method according to claim 23 also comprises:
Reception is ordered (RAC1) first random number (RANDOM #1) from described transponder (440) in response to first,
Sending first order (RAC1) afterwards to described transponder (440) transmission second order (RAC2),
Reception is in response to the encryption of second order (RAC2) from first random number (RANDOM #1) of transponder (440).
25. one kind is used for the method for validity that reader (420) is determined to the connection of transponder (440), described method comprises:
Send first order together with second random number to described transponder (440),
Receive first random number from described transponder (440),
To first message authentication code (MAC) of transponder (440) transmission based on first random number and the generation of second random number,
From second message authentication code (MAC) of transponder (440) reception based on first random number and the generation of second random number,
Check second message authentication code (MAC) whether effective,
Check first random number whether in the preset time window, to receive and
If the result of check is true, think that then being connected to of transponder (440) is effective.
26. one kind is used for the method for validity that transponder (440) is determined to the connection of reader (420), described method comprises:
Receive first order (RAC1) together with second random number (RANDOM #2) from described reader (420),
Send first random number (RANDOM #1) to described reader (420),
Send the encryption of first random number (RANDOM #1) and the encryption of second random number (RANDOM #2) to described reader (420).
27. one kind is used for the method for validity that transponder (440) is determined to the connection of reader (420), described method comprises:
Receive first order and second random number from described reader (420),
Send first random number to described reader (420),
From first message authentication code (MAC) of described reader (420) reception based on first random number and the generation of second random number,
Check first message authentication code (MAC) whether effective,
When first message authentication code (MAC) is effective, to second message authentication code (MAC) of reader (420) transmission based on first random number and the generation of second random number.
28. the computer-readable medium of a storage computation machine program, when processor (422,442) computer program, suitable realization of described computer program or control are according to the method for claim 23 or 25 or 26 or 27.
29. a program unit, when processor (422,442) executive program unit, suitable realization of described program unit or control are according to the method for claim 23 or 25 or 26 or 27.
CN2008801294151A 2008-05-26 2008-11-03 Decoupling of measuring the response time of a transponder and its authentication Pending CN102047606A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP08104094 2008-05-26
EP08104094.1 2008-05-26
PCT/IB2008/054566 WO2009144534A1 (en) 2008-05-26 2008-11-03 Decoupling of measuring the response time of a transponder and its authentication

Publications (1)

Publication Number Publication Date
CN102047606A true CN102047606A (en) 2011-05-04

Family

ID=40869128

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008801294151A Pending CN102047606A (en) 2008-05-26 2008-11-03 Decoupling of measuring the response time of a transponder and its authentication

Country Status (8)

Country Link
US (1) US10044512B2 (en)
EP (1) EP2291947B1 (en)
JP (1) JP2011523798A (en)
KR (1) KR20110030486A (en)
CN (1) CN102047606A (en)
BR (1) BRPI0822741B1 (en)
MX (1) MX353765B (en)
WO (1) WO2009144534A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103024736A (en) * 2011-09-28 2013-04-03 国民技术股份有限公司 Communication connecting method and device
CN103095346A (en) * 2011-11-04 2013-05-08 Nxp股份有限公司 Proximity assurance for short-range communication channels
CN105046177A (en) * 2014-04-29 2015-11-11 恩智浦有限公司 Proximity check for communication devices
CN106534171A (en) * 2016-12-02 2017-03-22 全球能源互联网研究院 Security authentication method and device, and terminal
CN107284412A (en) * 2016-04-11 2017-10-24 阿尔卑斯电气株式会社 Keyless access system and mobile unit
CN107707527A (en) * 2017-09-01 2018-02-16 清华大学 A kind of detection method, read-write terminal and the system of smart card relay attack

Families Citing this family (59)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100146601A1 (en) * 2008-12-09 2010-06-10 Motorola, Inc. Method for Exercising Digital Rights via a Proxy
CN101996300A (en) * 2009-08-21 2011-03-30 中兴通讯股份有限公司 Method for sorting and counting tags in radio frequency identification system and tag
CN102034063A (en) * 2009-09-28 2011-04-27 西门子(中国)有限公司 Method for adjusting continuous wave transmission time and reader
CN102598738A (en) * 2009-10-14 2012-07-18 皇家飞利浦电子股份有限公司 A method for operating a node in a wireless sensor network
US9317572B2 (en) 2010-03-31 2016-04-19 Cloudera, Inc. Configuring a system to collect and aggregate datasets
US9082127B2 (en) 2010-03-31 2015-07-14 Cloudera, Inc. Collecting and aggregating datasets for analysis
US9081888B2 (en) 2010-03-31 2015-07-14 Cloudera, Inc. Collecting and aggregating log data with fault tolerance
US8874526B2 (en) 2010-03-31 2014-10-28 Cloudera, Inc. Dynamically processing an event using an extensible data model
US8667267B1 (en) * 2011-01-31 2014-03-04 Gazzang, Inc. System and method for communicating with a key management system
WO2012129641A1 (en) 2011-03-25 2012-10-04 Certicom Corp. Interrogating an authentication device
US8880592B2 (en) 2011-03-31 2014-11-04 Cloudera, Inc. User interface implementation for partial display update
CA2832348C (en) 2011-05-06 2018-07-24 Certicom Corp. Managing data for authentication devices
EP2538363B1 (en) * 2011-06-24 2016-04-13 Siemens Aktiengesellschaft Encrypted transfer of satellite navigation data
US9128949B2 (en) 2012-01-18 2015-09-08 Cloudera, Inc. Memory allocation buffer for reduction of heap fragmentation
US9172608B2 (en) 2012-02-07 2015-10-27 Cloudera, Inc. Centralized configuration and monitoring of a distributed computing cluster
WO2013172913A2 (en) * 2012-03-07 2013-11-21 The Trustees Of Columbia University In The City Of New York Systems and methods to counter side channels attacks
US9405692B2 (en) 2012-03-21 2016-08-02 Cloudera, Inc. Data processing performance enhancement in a distributed file system
US9338008B1 (en) 2012-04-02 2016-05-10 Cloudera, Inc. System and method for secure release of secret information over a network
CN103379491A (en) * 2012-04-12 2013-10-30 中兴通讯股份有限公司 User terminal, cipher transaction terminal, system and method used for cipher verification
US9842126B2 (en) 2012-04-20 2017-12-12 Cloudera, Inc. Automatic repair of corrupt HBases
CN102673515B (en) * 2012-05-23 2016-08-31 杨涛 The passive of anti-relay attack based on RFID is unblanked and startup method without key
DE102012104955B4 (en) * 2012-06-08 2022-02-17 Kiwi.Ki Gmbh Method for cryptographically secured proof of the presence of an identity token in the area of an identity sensor, and system for such a method
US9753954B2 (en) 2012-09-14 2017-09-05 Cloudera, Inc. Data node fencing in a distributed file system
US9369290B2 (en) * 2012-11-30 2016-06-14 Certicom Corp. Challenge-response authentication using a masked response value
US9727720B2 (en) 2012-11-30 2017-08-08 Certicom Corp. Challenge-response authentication using a masked response value
FR3001309B1 (en) * 2013-01-24 2015-01-09 St Microelectronics Rousset METHOD OF PROCESSING TRANSMISSION ERRORS, IN PARTICULAR THOSE RESULTING FROM NOISE, IN CONTACTLESS COMMUNICATION BETWEEN A CARD AND A READER.
EP2949095B1 (en) 2013-01-25 2018-10-03 Bundesdruckerei GmbH Carrying out a position-dependent cryptographic operation with a position-dependent cryptographic key
DE102013201730A1 (en) * 2013-02-04 2014-08-07 Bundesdruckerei Gmbh Method for providing position data for smart card, involves executing smart card function in which position data is used as position data indicative of current position of smart card when localization unit is in spatial maximum distance
US9342557B2 (en) 2013-03-13 2016-05-17 Cloudera, Inc. Low latency query engine for Apache Hadoop
US9698991B2 (en) 2013-03-15 2017-07-04 Ologn Technologies Ag Systems, methods and apparatuses for device attestation based on speed of computation
US10177915B2 (en) 2013-03-15 2019-01-08 Ologn Technologies Ag Systems, methods and apparatuses for device attestation based on speed of computation
US9456344B2 (en) 2013-03-15 2016-09-27 Ologn Technologies Ag Systems, methods and apparatuses for ensuring proximity of communication device
EP2973203B1 (en) * 2013-03-15 2023-06-21 OLogN Technologies AG Systems, methods and apparatuses for device attestation based on speed of computation
US8930045B2 (en) * 2013-05-01 2015-01-06 Delphi Technologies, Inc. Relay attack prevention for passive entry passive start (PEPS) vehicle security systems
EP2995061B1 (en) 2013-05-10 2018-04-18 OLogN Technologies AG Ensuring proximity of wifi communication devices
US9071971B2 (en) * 2013-07-24 2015-06-30 Cellco Partnership Adaptive and context based NFC access control filtering
US9455998B2 (en) 2013-09-17 2016-09-27 Ologn Technologies Ag Systems, methods and apparatuses for prevention of relay attacks
US9477731B2 (en) 2013-10-01 2016-10-25 Cloudera, Inc. Background format optimization for enhanced SQL-like queries in Hadoop
US9934382B2 (en) 2013-10-28 2018-04-03 Cloudera, Inc. Virtual machine image encryption
US9690671B2 (en) 2013-11-01 2017-06-27 Cloudera, Inc. Manifest-based snapshots in distributed computing environments
US10171635B2 (en) 2013-12-04 2019-01-01 Cloudera, Inc. Ensuring properly ordered events in a distributed computing environment
JP2015122620A (en) * 2013-12-24 2015-07-02 富士通セミコンダクター株式会社 Authentication system, authentication method, authentication device, and authenticated device
US9386181B2 (en) 2014-03-31 2016-07-05 Google Inc. Device proximity detection
TWI572218B (en) * 2014-07-17 2017-02-21 新力股份有限公司 Electronic device, controller and control method for nfc
US9747333B2 (en) 2014-10-08 2017-08-29 Cloudera, Inc. Querying operating system state on multiple machines declaratively
WO2016081192A1 (en) 2014-11-20 2016-05-26 Rambus Inc. Memory systems and methods for improved power management
US10120904B2 (en) 2014-12-31 2018-11-06 Cloudera, Inc. Resource management in a distributed computing environment
CN104821945A (en) * 2015-04-30 2015-08-05 南京邮电大学 Defensive system of relay attack of near-field mobile payment and realization method thereof
US11354676B2 (en) 2015-06-04 2022-06-07 Chronicled, Inc. Open registry for identity of things
US10652740B2 (en) * 2016-03-07 2020-05-12 The Alfred E. Mann Foundation For Scientific Research System and method for authenticating wireless programming devices in programmable medical systems
DE102016104771A1 (en) * 2016-03-15 2017-10-05 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. A method for generating an authentication message, method for authenticating, authentication device and authentication base device
US11107088B2 (en) * 2016-05-27 2021-08-31 Chronicled, Inc. Open registry for internet of things
US10897477B2 (en) * 2016-07-01 2021-01-19 Texas Instruments Incorporated Relay-attack resistant communications
JP6447949B1 (en) * 2017-05-11 2019-01-09 株式会社エルブズ Authentication system, authentication server, authentication method, and authentication program
US11502843B2 (en) * 2018-12-31 2022-11-15 Nxp B.V. Enabling secure internet transactions in an unsecure home using immobile token
EP3905082A4 (en) * 2019-02-12 2022-03-23 Panasonic Intellectual Property Management Co., Ltd. Remote control system
EP3825880B1 (en) * 2019-11-20 2022-10-05 Siemens Energy Global GmbH & Co. KG Protected iot device reset
KR20220099342A (en) * 2021-01-06 2022-07-13 삼성전자주식회사 Payment terminal and payment means performing payment based on payment token and method of thereof
US20240062216A1 (en) * 2022-08-17 2024-02-22 Capital One Services, Llc Systems and methods for dynamic data generation and cryptographic card authentication

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5189700A (en) * 1989-07-05 1993-02-23 Blandford Robert R Devices to (1) supply authenticated time and (2) time stamp and authenticate digital documents
JP4692826B2 (en) 2003-07-28 2011-06-01 ソニー株式会社 Information processing apparatus and method, recording medium, and program
US7222254B2 (en) * 2003-09-15 2007-05-22 Intel Corporation System and method for over-clocking detection of a processor utilizing a feedback clock rate setting
FR2862824B1 (en) * 2003-11-25 2006-02-10 Cit Alcatel METHOD FOR MANAGING COMMUNICATIONS IN A RANDOM ACCESS NETWORK WITH LONG DELAYS OF TRANSMITTING ACCESS REQUEST ACQUIREMENTS
US7523305B2 (en) * 2003-12-17 2009-04-21 International Business Machines Corporation Employing cyclic redundancy checks to provide data security
US7590880B1 (en) * 2004-09-13 2009-09-15 National Semiconductor Corporation Circuitry and method for detecting and protecting against over-clocking attacks
US7646300B2 (en) 2004-10-27 2010-01-12 Intelleflex Corporation Master tags
JP2006197458A (en) 2005-01-17 2006-07-27 Matsushita Electric Ind Co Ltd Method for authenticating distance and opposite party
EP1737179A1 (en) * 2005-06-20 2006-12-27 Thomson Licensing Method and devices for secure measurements of time-based distance between two devices
US8135958B2 (en) 2005-11-22 2012-03-13 International Business Machines Corporation Method, system, and apparatus for dynamically validating a data encryption operation
ATE434804T1 (en) * 2005-12-15 2009-07-15 Ibm METHODS AND SYSTEMS USING RADIO FREQUENCY IDENTIFICATION LABELS TO COMPARE AND AUTHENTICATE ITEMS
JP4586755B2 (en) 2006-03-22 2010-11-24 ヤマハ株式会社 General-purpose logic circuit
US20070239897A1 (en) * 2006-03-29 2007-10-11 Rothman Michael A Compressing or decompressing packet communications from diverse sources
US7957533B2 (en) * 2007-10-02 2011-06-07 Alcatel-Lucent Usa Inc. Method of establishing authentication keys and secure wireless communication

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103024736A (en) * 2011-09-28 2013-04-03 国民技术股份有限公司 Communication connecting method and device
CN103095346A (en) * 2011-11-04 2013-05-08 Nxp股份有限公司 Proximity assurance for short-range communication channels
CN103095346B (en) * 2011-11-04 2014-11-19 Nxp股份有限公司 Proximity assurance for short-range communication channels
CN105046177A (en) * 2014-04-29 2015-11-11 恩智浦有限公司 Proximity check for communication devices
CN105046177B (en) * 2014-04-29 2018-08-24 恩智浦有限公司 Communication equipment close to inspection
CN107284412A (en) * 2016-04-11 2017-10-24 阿尔卑斯电气株式会社 Keyless access system and mobile unit
CN107284412B (en) * 2016-04-11 2019-09-24 阿尔卑斯阿尔派株式会社 Keyless access system
CN106534171A (en) * 2016-12-02 2017-03-22 全球能源互联网研究院 Security authentication method and device, and terminal
CN106534171B (en) * 2016-12-02 2020-03-10 全球能源互联网研究院有限公司 Security authentication method, device and terminal
CN107707527A (en) * 2017-09-01 2018-02-16 清华大学 A kind of detection method, read-write terminal and the system of smart card relay attack

Also Published As

Publication number Publication date
US10044512B2 (en) 2018-08-07
MX353765B (en) 2018-01-24
MX2010011506A (en) 2011-03-04
EP2291947B1 (en) 2019-12-18
JP2011523798A (en) 2011-08-18
WO2009144534A1 (en) 2009-12-03
KR20110030486A (en) 2011-03-23
EP2291947A1 (en) 2011-03-09
BRPI0822741A2 (en) 2015-06-23
US20110078549A1 (en) 2011-03-31
BRPI0822741B1 (en) 2020-07-07

Similar Documents

Publication Publication Date Title
CN102047606A (en) Decoupling of measuring the response time of a transponder and its authentication
EP2247024B1 (en) Determining the validity of a connection between a reader and a transponder
US20110068894A1 (en) Method for authenticating an rfid tag
EP1755061B1 (en) Protection of non-promiscuous data in an RFID transponder
US8653938B2 (en) Method of protection in a contactless radiofrequency communication
CN104217230B (en) The safety certifying method of hiding ultrahigh frequency electronic tag identifier
EP2940882B1 (en) Proximity check for communication devices
US9047727B2 (en) Portable electronic device and method for securing such device
CN106043232B (en) Distance for transport facility radio key is determining and authenticates
US20070034691A1 (en) Using promiscuous and non-promiscuous data to verify card and reader identity
CN105450673A (en) Security protocol authentication method based on mobile RFID system
CN107392001B (en) Authorization method, system and card
JP4999193B2 (en) Portable device with fingerprint authentication function
US20050127172A1 (en) Access system
Tu et al. Lightweight non-distance-bounding means to address RFID relay attacks
TWI627551B (en) System and method for verifying non-contact sensing tags
EP2264632B1 (en) Electronic device with two communication interfaces and associated method for securing such device
EP1680768A1 (en) Access control system
CN111356136B (en) Method for security authentication of a transponder communicating with a server
Priya et al. Location Sensing For RFID Sanctuary and Solitude
KR101626962B1 (en) Transaction System of Card Information and Encryption/Decryption Server therefor
Samuel RFID security in door locks
Dakhore et al. Location Aware Selective Unlocking & Secure Verification Safer Card Forenhancing RFID Security by Using SHA-3

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1151910

Country of ref document: HK

C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110504

REG Reference to a national code

Ref country code: HK

Ref legal event code: WD

Ref document number: 1151910

Country of ref document: HK